The professional offices I work with on the Central Coast, law firms in Salinas and Monterey, CPA and accounting practices, financial advisors, insurance agencies, and consultancies, all share a quiet tension. They are in the trust business. A client hands over their most sensitive information, their finances, their legal exposure, their family details, and trusts the firm to protect it. And yet the IT that holds all of that often grew the way the practice did: a server in a closet, email that has worked fine for a decade, a document system someone set up years ago, and a VPN that mostly works until the day it does not.
This post is the version of the conversation I have over coffee with a managing partner or a firm administrator. The framing is six layers, and the theme running through all of them is that your confidentiality and your handling of client money are not just operational concerns, they are ethical and legal duties with regulators and bar associations behind them. The good news is that the controls that satisfy those duties are the same ones that keep you out of the headlines, and they are well within reach for a small firm with the right help. A DoD-cleared engineering background is the right lens here, because protecting privileged client data deserves the same discipline as protecting government data.
Why professional-services IT is different from generic SMB IT
A generic small business sells a product and protects its own data. A professional office is entrusted with other people's most sensitive information and, frequently, other people's money. A law firm holds privileged matter files and runs a client trust account. A CPA firm holds Social Security numbers, full financial pictures, and bank details for every client, and is legally a financial institution under federal rules. A financial advisor or insurance agency holds account and beneficiary data. The exposure is not theoretical, and the obligations are written down.
Concretely, professional-services IT differs from generic small-business IT in five ways:
- Confidentiality is the product. A breach is not just downtime; it is a violation of a client's trust, and potentially of privilege, a fiduciary duty, or a bar rule.
- You move other people's money. Trust-account disbursements, settlements, escrow and closing wires, and client refunds are exactly what business email compromise targets.
- You are regulated as a data custodian. The FTC Safeguards Rule, GLBA, the IRS WISP requirement, CCPA, and the bar's technology-competence duty all apply to how you handle client data.
- Your work has hard deadlines. A filing date, a statute of limitations, a tax deadline, or a closing does not move because your VPN went down.
- Your busy season is the attacker's busy season. Phishing waves are timed to tax season and filing crunches, when your team is rushed and least careful.
The six IT layers a professional office needs
Layer 1: Identity and email security
This is the layer that protects the money and the data, and for most professional offices it is the highest-value place to spend first. The mailbox is where wire instructions arrive, where confidential documents flow, and where attackers focus their effort. The baseline:
- MFA on every account — Microsoft 365, the document and practice-management systems, the bank, and any client portal. Phishing-resistant MFA where it matters most.
- Monitored email security that catches spoofing, lookalike domains, and the compromised-vendor emails behind business email compromise.
- A verify-by-phone rule for any wire, disbursement, or change to payment details, with documented two-person approval.
- Conditional Access and named accounts, with no shared logins, so every action is attributable.
- Regular, short security-awareness training, intensified before tax season and filing crunches.
The MFA fatigue post and the identity hardening post cover the account side, and the Teams help-desk impersonation post covers a social-engineering pattern aimed squarely at office staff.
Layer 2: Client confidentiality and document security
Matter files, engagement files, and client records are confidential and often privileged, and protecting them is both a duty and a differentiator. The controls are least-privilege access so people reach only the matters or engagements they work on, ethical walls where a conflict requires separation, encryption everywhere so a lost laptop is not a disclosure, and a real handle on where client data actually lives, in the document-management system, not scattered across desktops, personal email, and consumer file-sharing. The departing-associate problem, someone copying the matter file on the way out, is solved here with access control, offboarding, and export monitoring rather than after the fact.
Layer 3: Microsoft 365 hardening
Almost every professional office runs on Microsoft 365, and almost none of them have it configured the way it should be. Out of the box it ships with powerful security features turned off, sharing wide open, and no retention policy. Hardening it (enforcing MFA across the tenant, turning on anti-phishing and Safe Links, enabling audit logging, setting sensible external-sharing limits, configuring retention and legal hold, and restricting app consent) is one of the highest-return projects a firm can do, and most of it costs nothing beyond the licensing you already pay. The Microsoft 365 settings post walks through the specific settings to turn on first.
Layer 4: Compliance you can actually show
Professional offices operate inside a stack of frameworks, and the common failure is not a missing control, it is a control that exists but cannot be demonstrated. We dig into the specifics below, but the short list: the FTC Safeguards Rule and the IRS WISP requirement for anyone handling tax or financial data, GLBA for CPAs and financial advisors, the bar's confidentiality and technology-competence duties for lawyers, CCPA and CPRA for California client data, SOC 2 readiness for consultancies serving enterprise clients, and the cyber-insurance questionnaire that ties them all together. The vCIO service is where we map your specific obligations to the IT controls and write the plan the frameworks require.
Layer 5: Multi-office and hybrid connectivity
Professional work is increasingly hybrid, and a deadline does not care that your one internet circuit is down. The pattern that holds up is business-class internet with a documented SLA plus a cellular failover on a different carrier at each office, a cloud-first design so the core work does not depend on a single fragile VPN back to one server, and secure, performant remote access for the attorneys, accountants, and staff working from home or a second office. The network design service page covers the multi-office and hybrid approach.
Layer 6: Backup and continuity
The records that have to survive a bad day: the document-management system, email, the practice- or case-management platform, accounting and trust-accounting records, and client files. Independent, tested backup of Microsoft 365 and the document system is non-negotiable, because the vendor backs up their platform for their resilience, not for your accidental deletion or a compromised admin account. And continuity on the Central Coast also means planning for PG&E: the region sits under the Public Safety Power Shutoff program, so UPS on the network gear, a documented runbook for working through an outage, and a tested recovery plan keep a deadline from becoming a malpractice question. The backup and disaster recovery service page and the cyber-insurance renewal checklist cover the continuity and underwriting angles.
The FTC Safeguards Rule and the IRS WISP: not optional for tax and financial firms
This deserves its own section because so many small CPA, tax, and advisory firms still believe these rules are for big institutions. They are not. The FTC Safeguards Rule, the data-security regulation under the Gramm-Leach-Bliley Act, defines "financial institution" broadly enough to include tax preparers, CPAs, bookkeepers, and others significantly engaged in financial activities. Tax preparation firms are named as an example in the rule itself. Separately, the IRS requires every paid preparer with a PTIN to maintain a Written Information Security Plan, a WISP, and provides guidance in Publication 4557 and a sample template in Publication 5708.
In practical terms, the program these rules require includes:
- A designated qualified individual who owns the security program.
- A written risk assessment and a written information security plan, not a verbal understanding.
- Multi-factor authentication on any system that accesses, stores, or transmits client information.
- Encryption of client data at rest and in transit.
- Access controls on a least-privilege basis, with logging.
- Vendor oversight, so your cloud and software providers meet the same bar.
- Staff training and a written incident-response plan.
The stakes are real. The IRS can revoke a PTIN over a missing WISP, effectively ending a preparer's ability to file. The FTC can pursue civil penalties that run into the tens of thousands of dollars per violation per day. And a data-loss event triggers breach-notification obligations regardless. The reassuring part is that almost every item on that list is also just good IT hygiene, the same MFA, encryption, access control, and backup we would recommend anyway, plus the written plan that documents it. We help firms implement the controls and produce the WISP that ties them together.
The lawyer's duty: confidentiality and technology competence
For law firms specifically, the obligations come from the rules of professional conduct as much as from any statute. ABA Model Rule 1.6 requires a lawyer to make reasonable efforts to prevent the unauthorized disclosure of client information, and the duty of competence has been widely interpreted, through Comment 8 to Model Rule 1.1 and California's own guidance, to include a reasonable understanding of the technology a firm uses. In plain terms, "I didn't understand the IT" is not a defense if client confidences are exposed through controls a competent firm would have had in place.
That makes the security baseline above a professional-responsibility issue, not just an IT preference: MFA, encryption, access control, a tested backup, and a sensible incident-response plan are the reasonable efforts the rule contemplates. The FBI has also specifically warned that extortion groups target law firms for exactly the confidential data they hold, which we covered in the post on the Silent Ransom Group targeting law firms.
The patterns hitting professional offices right now
Business email compromise and wire fraud
The headline threat for any office that moves money. A spoofed or genuinely compromised email changes wire instructions on a settlement, a closing, or a client disbursement, and the funds vanish. For a law firm, a misdirected trust-account wire is also a bar problem. The defense is monitored email, MFA, and an absolute verify-by-phone rule for any money movement.
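To make the Layer 1 email controls and this wire-fraud pattern concrete, here is an added example, written for this post and not code from the original page or from Ghosxt, of the triage logic a monitored-email rule applies to inbound payment-change requests. It folds sender domains to a "skeleton" so that lookalikes (digit-for-letter swaps, rn for m, vv for w, dropped hyphens, a real domain embedded in a longer one, a non-ASCII character) compare equal to or within one edit of a domain on file, quarantines those, and holds any payment-related message, even from a genuine domain, for the verify-by-phone step. The counterparty domains, substitution table, payment keywords and sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample data: counterparty domains the firm already has on file.
KNOWN_DOMAINS = {"client-example.com", "escrow-example.com", "oppcounsel-example.com"}

# Substitutions used to build lookalike domains. Single characters are folded
# first so that the multi-character patterns are matched on the folded text.
CONFUSABLES = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
               ("rn", "m"), ("vv", "w"), ("-", "")]

# Language that marks a message as a payment or wire-instruction request.
PAYMENT_TERMS = re.compile(
    r"\b(wire|wiring|routing|account number|aba|iban|swift|"
    r"bank(?:ing)? (?:details|information|info)|updated (?:payment|remittance)|"
    r"change (?:of|in|to) (?:account|payment|wire))\b",
    re.IGNORECASE,
)


def skeleton(domain: str) -> str:
    """Fold a domain so that visually similar spellings compare equal."""
    s = domain.lower()
    for pattern, replacement in CONFUSABLES:
        s = s.replace(pattern, replacement)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, computed one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or 'user@domain'."""
    return address.strip().rstrip(">").rsplit("@", 1)[-1].lower()


def classify_domain(domain: str) -> tuple:
    """Return (verdict, reason); verdict is 'known', 'lookalike' or 'unknown'."""
    if domain in KNOWN_DOMAINS:
        return "known", "exact match to a domain on file"
    if any(ord(c) > 127 for c in domain):
        return "lookalike", "non-ASCII characters in domain"
    for known in KNOWN_DOMAINS:
        # A domain on file used as a leading label of something else, e.g.
        # client-example.com.secure-mail-example.net. A true subdomain of a
        # known domain is not flagged here and falls through to 'unknown'.
        if known in domain and not domain.endswith("." + known):
            return "lookalike", f"embeds domain on file {known}"
        if levenshtein(skeleton(known), skeleton(domain)) <= 1:
            return "lookalike", f"resembles domain on file {known}"
    return "unknown", "domain not on file"


@dataclass
class Triage:
    action: str  # 'deliver', 'hold_for_callback' or 'quarantine'
    reason: str


def triage(sender: str, subject: str, body: str) -> Triage:
    verdict, reason = classify_domain(sender_domain(sender))
    if verdict == "lookalike":
        return Triage("quarantine", reason)
    if PAYMENT_TERMS.search(subject + " " + body):
        # A genuine domain can still be a compromised mailbox, so any money
        # movement is held until someone calls a number already on file.
        return Triage("hold_for_callback", f"payment language from {verdict} domain ({reason})")
    return Triage("deliver", reason)


# Constructed sample messages (label, sender, subject, body); not real mail.
SAMPLE_MAIL = [
    ("engagement_letter", "Jane Doe <jane@client-example.com>",
     "Signed engagement letter", "Attached is the signed engagement letter for the Q2 review."),
    ("genuine_domain_wire_change", "Jane Doe <jane@client-example.com>",
     "Updated wire instructions", "Please send the settlement to our new account; routing number attached."),
    ("digit_for_letter", "Jane Doe <jane@c1ient-example.com>",
     "Wire instructions", "Our banking details have changed, see attached."),
    ("dropped_hyphen", "jane@clientexample.com",
     "Remittance", "Updated remittance address for the closing."),
    ("embedded_known_domain", "billing@client-example.com.secure-mail-example.net",
     "Closing funds", "Please wire the closing funds today."),
    ("unknown_newsletter", "news@randomvendor-example.org",
     "Monthly newsletter", "Here is what is new this month."),
]


def run_samples() -> dict:
    """Triage every sample message and return {label: action}."""
    return {label: triage(sender, subject, body).action
            for label, sender, subject, body in SAMPLE_MAIL}


if __name__ == "__main__":
    for label, sender, subject, body in SAMPLE_MAIL:
        t = triage(sender, subject, body)
        print(f"{label:28} {t.action:18} {t.reason}")
```

In practice the known-domain list comes from the practice- or case-management system's contact records, and "hold_for_callback" routes the message to the two-person approval step rather than to the inbox. The one-edit threshold will also flag legitimate near-neighbours such as a counterparty's slightly different sister domain; for a firm moving client money that bias toward a human look is the intended behaviour.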
The tax-season phishing wave
Accounting and tax firms see a predictable surge of phishing during filing season, often impersonating clients sending "documents" or the IRS. The combination of volume and time pressure is the point. MFA, monitored email, and a pre-season training refresh are the counters.
The departing associate with the file
An associate or staff member leaves and copies the matter or engagement file. Least-privilege access, same-day offboarding, enforced encryption, and export monitoring keep the firm's, and the client's, data where it belongs.
The deadline-day outage
The VPN or the internet goes down on a filing day, and the whole office stops. Redundant connectivity, a cloud-first design, and a documented failover runbook turn a crisis into an inconvenience.
Office IT baseline for a professional firm
- Microsoft 365 Business Premium per user, hardened, with EDR, MDM, and identity protection included. See the Microsoft 365 settings post.
- Monitored email security and 24/7 detection, because the mailbox is the target.
- A properly configured document-management or practice-management platform with least-privilege access.
- Business-class internet with SLA and cellular failover at every office.
- MFA, enforced encryption, and MDM on every device that touches client data.
- Tested, independent backup of Microsoft 365 and the document system.
- A written security plan (WISP where required) and an incident-response plan.
The full program lives on the managed IT services page, with the security engineering on the cybersecurity page.
What we steer professional offices away from
- Approving wires or payment changes by email. The single most expensive habit in professional services. Every change gets a phone call.
- Client files in personal email or consumer file-sharing. Outside your control, your audit trail, and any framework a regulator or insurer will accept.
- Shared logins. No attribution, no offboarding control, a compliance and cyber-insurance finding.
- Assuming Microsoft 365 is secure out of the box. It ships open; it has to be hardened.
- Treating the WISP as a someday task. It is required now for anyone handling tax or financial data.
- One aging server and one VPN appliance as the single point of failure for the whole firm.
- A backup nobody has test-restored. Especially the document system that holds every matter.
A realistic budget for a Central Coast professional office
Numbers for a representative 15-person firm, attorneys or CPAs plus support staff, one or two offices with some hybrid work, running Microsoft 365 and a cloud document or practice-management system. Monthly, all-in:
- Microsoft 365 Business Premium: 15 users × $22 = $330
- MDR / managed security and email protection: 15 users × $25 = $375
- Managed IT (help desk, patching, backup, identity hardening): 15 users × $150–$200 = $2,250–$3,000
- Business internet + cellular failover (per office): $300–$700
- Managed firewall: $150–$400
- Independent backup (Microsoft 365 + document system): $150–$400
Total monthly IT spend lands roughly between $3,500 and $5,500 per month for a 15-person office, before hardware and before one-time compliance work such as building the WISP. The biggest mover is the per-user managed IT line. For comparison: a single successful business email compromise against a professional firm routinely runs from tens of thousands of dollars into six figures and is often unrecoverable, an FTC Safeguards or WISP failure carries real penalty exposure, and a breach of client confidence can cost the relationships the firm is built on. The IT budget is a fraction of one bad incident.
Where this fits
- The professional services and SMB office IT service page, for the full Ghosxt program.
- The cybersecurity service page, for the underlying security stack.
- The IT consulting and vCIO page, for compliance mapping and writing the WISP.
- The backup and disaster recovery service page, for the continuity layer.
- The FBI Silent Ransom Group post, for the extortion threat aimed at law firms.
- The cyber-insurance renewal checklist, for the underwriting questions you will face.
- The property management IT post, for the closely related wire-fraud and trust-money patterns.
- The 2026 ransomware post, for the attacker side.
We support law firms, CPA and accounting practices, advisors, and professional offices across Salinas, Monterey, Santa Cruz, San Jose, Carmel, and Pacific Grove, and the rest of the Central Coast.
FAQs about IT for professional offices
We're a small CPA or tax firm. Do the FTC Safeguards Rule and the IRS WISP really apply to us?
Yes, regardless of how small you are. The FTC Safeguards Rule treats tax preparers, CPAs, and bookkeepers who handle client financial information as financial institutions, and the IRS requires every paid preparer with a PTIN to maintain a Written Information Security Plan, a WISP, described in IRS Publications 4557 and 5708. In practical terms that means a designated security coordinator, a written risk assessment, multi-factor authentication on systems that touch client data, encryption at rest and in transit, vendor oversight, staff training, and an incident-response plan. The IRS can revoke a PTIN over a missing plan, and the FTC can pursue civil penalties that run into the tens of thousands of dollars per violation per day. A one-person tax shop and a fifty-person firm are both covered; only the scale of the program differs.
A client emailed asking us to change where their funds or settlement go. How do we know it's real?
Treat it as fraud until you have confirmed it out of band. Business email compromise aimed at the money a professional office moves, a law firm's client trust account, a settlement disbursement, an escrow or closing wire, is the single most expensive attack we see hit professional firms, and it almost always arrives as a believable email from a real-looking address or a genuinely compromised mailbox. Never act on wire or payment-change instructions from email alone. Call the client or counterparty back on a number you already had on file, confirm with a person you know, and require documented two-person approval for any disbursement or change to payment details. One verification call is far cheaper than a misdirected trust-account wire, which is often unrecoverable and can become a bar complaint.
An associate left and took a copy of the matter or client file. Can we prevent that?
Largely, yes, with access control and monitoring. Matter files, engagement files, and client records are confidential and often privileged, and a departing associate or staff member with broad access and nothing watching can copy years of work on the way out. The controls are named accounts with least-privilege access so people reach only their matters or engagements, ethical walls where a conflict requires them, a documented same-day offboarding checklist that revokes email, document-management, and VPN access the moment someone gives notice, enforced device encryption so a synced copy is unreadable off a personal laptop, and export or data-loss monitoring that flags a bulk download. The engagement letters and employment agreements matter legally, but the technical controls are what actually stop the copy.
Our whole office stops working when the VPN goes down, and it always seems to happen at a deadline. What's the fix?
A filing deadline, a tax due date, or a closing does not move because your internet did, so the fix is to remove the single points of failure. That means business-class internet with a documented SLA plus a cellular failover on a different carrier, a cloud-first design so the core work does not depend on one fragile VPN tunnel back to a single office server, and a documented runbook for working from a backup location or over a hotspot when a site goes dark. Most deadline-day outages we get called about trace to one aging internet circuit and one overloaded VPN appliance, both of which are straightforward to make resilient once someone owns the design.
Is email security really our biggest risk?
For most professional offices, yes. The mailbox is where the money moves and where the confidential data flows, which makes it the primary target. Two patterns dominate: business email compromise aimed at payments and wire instructions, and phishing waves timed to your busy season, tax season for accountants, filing crunches for law firms, when staff are rushed and more likely to click. The defenses are multi-factor authentication on every account, monitored email security that catches spoofing and lookalike domains, a verify-by-phone rule for any money movement, and short, regular training so the team recognizes the season's lures. The firewall protects the office; email security protects the thing attackers actually want.
We use a cloud document system and Microsoft 365. Doesn't that make us compliant and secure?
Those tools make compliance and security possible; they do not deliver it on their own. Microsoft 365, a cloud document-management system, and a practice-management platform all give you the controls, multi-factor authentication, encryption, role-based access, audit logging, retention, but turning them on, configuring them correctly, monitoring them, and writing the security plan that frameworks like the FTC Safeguards Rule require are still your responsibility under the shared-responsibility model. We routinely find firms paying for capable platforms with MFA half-deployed, sharing wide open, no retention policy, and no written plan. The subscription is the toolbox; the security program is what you build with it.
Want a written read on your firm's IT and compliance?
30 minutes with a DoD-cleared engineer. We will walk through your email and identity security, client-data handling, Microsoft 365 configuration, FTC Safeguards and WISP posture, and backup, and hand you back a written punch list of what to fix first, ordered by risk. No sales script, no obligation.
Book your free assessment. Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.